The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on Internal Control, enterprise risk management (ERM) and fraud deterrence – has developed a framework for Internal Control.
Illustration: COSO`s five Components in Internal Control
The COSO framework: Five essential components in Internal Control
- Control environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring Activities
Does the board, management and employees understand the risk in the company? The control environment sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of Internal Control.
The identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
Has the entity developed control activities to reduce the identified risk? Examples of Control activities:
- Segregation of duties. Separating authorization, custody, and record keeping roles to prevent fraud or error by one person.
- Authorization of transactions. Review of particular transactions by an appropriate person.
- Retention of records. Maintaining documentation to substantiate transactions.
- IT application controls. Controls over information processing enforced by IT applications, such as edit checks to validate data entry, accounting for transactions in numerical sequences, and comparing file totals with control accounts.
Information & Communication
Systems or processes that support the identification, capture, and exchange of information in a form and period that enable people to carry out their responsibilities
A company goes through changes related to IT systems and organization all the time. This will affect the exposed risk. It is important to test the established Internal Controls and reevaluated the risk in the company when changes appears.
To be able to rely on the Internal Control, all five components must be cared for. Guidance by COSO.
Definition of Internal Control
Internal Control is defined by the COSO Framework, as a process affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
The most used Internal Control framework is the COSO report written in 1992. The report addresses a methodology for Internal Control and guidelines how to implement Internal Control.
Most companies implement Internal Control because they are obligated to do this by the legislation that the company abides to. Example of relevant laws: